Press F1 forum, thread 107078: IS2010.exe/IS15.exe, started by linw (53) on 2010-02-03 07:37:00

| Post ID | Timestamp | Content | User |
| --- | --- | --- | --- |
| 854927 | 2010-02-03 07:37:00 | Got a client's machine that has had both these trojans picked up by Malwarebytes. The offending exe's have been deleted but there is something still active. FF is now occasionally getting a new tab created with sites related to gambling and adsmarket. I am getting the machine tomorrow so am going to run TrojanRemover and I will check the registry entries connected with IS15, but if anyone has any specific advice it will be welcomed. At the end of the day, I just may have to wipe the disk and start again but I am trying to avoid that! I will post a HJT log tomorrow as well. TIA. | linw (53) |
| 854928 | 2010-02-03 07:50:00 | double post | Speedy Gonzales (78) |
| 854929 | 2010-02-03 07:51:00 | Looks like it belongs to this (www.bleepingcomputer.com). I would take it off the net till you fix it. | Speedy Gonzales (78) |
| 854930 | 2010-02-03 08:55:00 | Yep, that is certainly what it was/is. I think this comp was attacked via a script in an mp3 file that loaded a trojan loader. The rest (including a password copier) got loaded from there. Malwarebytes and MSE found and deleted several baddies but there is still something else lurking. | linw (53) |
| 854931 | 2010-02-03 10:37:00 | Disable system restore then do a scan with TR. And reset everything after. Under the utils menu. | Speedy Gonzales (78) |
| 854932 | 2010-02-03 19:42:00 | HJT log shows a peculiar service (GVYQFFBH.exe). This doesn't show in Task Manager. TR didn't find anything, incl. file above. MSE - nothing. MBAM - nothing. Current symptoms are tabs with mainly gambling sites spontaneously appear in FF. Will run FF in safe mode to see whether this still occurs. Out for a few hours so will check back then. Logfile of Trend Micro HijackThis v2.0.3 (BETA) Scan saved at 8:02:10 a.m., on 4/02/2010 Platform: Windows Vista SP2 (WinNT 6.00.1906) MSIE: Internet Explorer v8.00 (8.00.6001.18882) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskeng.exe C:\Program Files\LogMeIn\x86\LogMeInSystray.exe C:\Program Files\Samsung\Emodio\SMSTray.exe C:\Program Files\Microsoft Security Essentials\msseces.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Program Files\devnz\gbpvr\GBPVRTray.exe C:\Program Files\LogMeIn\x86\LMIGuardian.exe C:\Program Files\zabkat\xplorer2_lite\xplorer2.exe C:\Windows\system32\taskmgr.exe C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Emodio\SMSTray.exe O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user') O4 - Startup: GB-PVR Tray.lnk = C:\Program Files\devnz\gbpvr\GBPVRTray.exe O4 - Startup: pvr150-1.bat - Shortcut.lnk = J:\GB Recorder\pvr150-1.bat O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O13 - Gopher Prefix: O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - h20264.www2.hp.com O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - fpdownload2.macromedia.com O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: GB-PVR Recording Service - WelltonWay - C:\Program Files\Devnz\GBPVR\GBPVRRecordingService.exe O23 - Service: Google Update Service (gupdate1c9d45e61575d92) (gupdate1c9d45e61575d92) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: GVYQFFBH - Sysinternals - www.sysinternals.com - C:\Users\Rob\AppData\Local\Temp\GVYQFFBH.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe -- End of file - 6348 bytes | linw (53) |
| 854933 | 2010-02-03 19:50:00 | Ah, that GVYQFFBH.exe is Sysinternals' rootkit revealer which I ran earlier. | linw (53) |
| 854934 | 2010-02-03 19:52:00 | Did you select all options under utilities in TR as well?? After updating it then clicking on scan? Trojan Remover does scan for rootkits. Uninstall all versions of Java, then update it. It's out of date. What does this do? O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup Is it a search program for Windows? | Speedy Gonzales (78) |
| 854935 | 2010-02-03 19:56:00 | I encountered a PC with this the other day, scanned & cleaned with MBAM and NOD32, then had to edit the userinit registry key, found in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon. The infection had changed the value of UserInit to winlogon32.exe instead of userinit.exe. However there were a handful of other infections on that PC also so this may or may not have been a direct result of the IS2010. | inphinity (7274) |
| 854936 | 2010-02-04 08:51:00 | Speedy, everything.exe is a VERY efficient file indexer so is kosher. Updated Java. I didn't click the utilities options but have done that now. I have checked for all the known files created e.g. smss32.exe, helper32.dll, winlogon32.exe etc but none are there. I have checked the known changes to registry and only found one entry that shouldn't have been there. HKCU\Software\8636065b-fef0 .... etc. Deleted that (it was supposed to load smss32.exe on startup but I have never found this exe). No bogus sites loaded for an hour so that is good but I am not convinced the problem has gone away yet. Time will tell. | linw (53) |